Thank you Steve, for your answer. To your questions:
> How do you have the load balanced rules set? are they persistent in a
> file that is always run from server start up?

-> I have a startup script that sets the firewall NAT rules on every startup of the system in RC4. Every few hours f2b reloads the firewall rules from its database (according to the log) and when that happens the NAT rules vanish from my server, leading to a STOP in service, as the load balancing breaks. The time this happens is every few hours and always goes hand in hand with the time in the f2b log where the system does the aforementioned process of "resetting" and loading stuff from its database. So I have a strong bias towards f2b being the "culprit", as this is the only process that fiddles around with the iptables in the first instance.

I also noticed very strange things:

<snip>
2016-04-07 13:22:19,849 fail2ban.filter [3526]: INFO [ssh] Found 183.3.202.xxx
2016-04-07 13:22:20,294 fail2ban.actions [3526]: NOTICE [sshd] 183.3.202.200 already banned
2016-04-07 13:22:21,836 fail2ban.filter [3526]: INFO [ssh] Found 183.3.202.xxx
2016-04-07 13:22:21,837 fail2ban.filter [3526]: INFO [sshd] Found 183.3.202.xxx
2016-04-07 13:22:28,687 fail2ban.filter [3526]: INFO [sshd] Found 183.3.202.xxx
2016-04-07 13:22:28,688 fail2ban.filter [3526]: INFO [ssh] Found 183.3.202.xxx
2016-04-07 13:22:30,912 fail2ban.filter [3526]: INFO [ssh] Found 183.3.202.xxx
2016-04-07 13:22:30,913 fail2ban.filter [3526]: INFO [sshd] Found 183.3.202.xxx
2016-04-07 13:22:31,306 fail2ban.actions [3526]: NOTICE [sshd] 183.3.202.xxx already banned
2016-04-07 13:22:31,857 fail2ban.actions [3526]: NOTICE [ssh] 183.3.202.xxx already banned
2016-04-07 13:22:42,443 fail2ban.filter [3526]: INFO [sshd] Found 183.3.202.xxx
2016-04-07 13:22:42,445 fail2ban.filter [3526]: INFO [ssh] Found 183.3.202.xxx
2016-04-07 13:22:44,260 fail2ban.filter [3526]: INFO [sshd] Found 183.3.202.xxx
2016-04-07 13:22:44,260 fail2ban.filter [3526]: INFO [ssh] Found 183.3.202.xxx
2016-04-07 13:22:50,860 fail2ban.filter [3526]: INFO [sshd] Found 183.3.202.xxx
2016-04-07 13:22:50,861 fail2ban.filter [3526]: INFO [ssh] Found 183.3.202.xxx
2016-04-07 13:22:51,329 fail2ban.actions [3526]: NOTICE [sshd] 183.3.202.xxx already banned
2016-04-07 13:22:53,105 fail2ban.filter [3526]: INFO [sshd] Found 183.3.202.xxx
2016-04-07 13:22:53,106 fail2ban.filter [3526]: INFO [ssh] Found 183.3.202.xxx
2016-04-07 13:23:00,356 fail2ban.filter [3526]: INFO [ssh] Found 183.3.202.xxx
2016-04-07 13:23:00,358 fail2ban.filter [3526]: INFO [sshd] Found 183.3.202.xxx
2016-04-07 13:23:01,974 fail2ban.filter [3526]: INFO [ssh] Found 183.3.202.xxx
2016-04-07 13:23:01,975 fail2ban.filter [3526]: INFO [sshd] Found 183.3.202.xxx
2016-04-07 13:23:02,342 fail2ban.actions [3526]: NOTICE [sshd] 183.3.202.xxx already banned
2016-04-07 13:23:02,893 fail2ban.actions [3526]: NOTICE [ssh] 183.3.202.xxx already banned

root@xxx:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

root@bmn1:~# sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

The chain rules seem to be empty ...
root@xxx:~# service fail2ban restart
 * Restarting authentication failure monitor fail2ban

root@xxx:~# iptables -n -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-hn-apache-retry-ban  tcp  --  0.0.0.0/0  0.0.0.0/0  multiport dports 80,443
f2b-apache               tcp  --  0.0.0.0/0  0.0.0.0/0  multiport dports 80,443
f2b-ssh                  tcp  --  0.0.0.0/0  0.0.0.0/0  multiport dports 22
f2b-php-url-fopen        tcp  --  0.0.0.0/0  0.0.0.0/0  multiport dports 80,443
f2b-apache-nohome        tcp  --  0.0.0.0/0  0.0.0.0/0  multiport dports 80,443
f2b-apache-overflows     tcp  --  0.0.0.0/0  0.0.0.0/0  multiport dports 80,443
f2b-apache-badbots       tcp  --  0.0.0.0/0  0.0.0.0/0  multiport dports 80,443
f2b-sshd                 tcp  --  0.0.0.0/0  0.0.0.0/0  multiport dports 22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-apache (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-apache-badbots (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-apache-nohome (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-apache-overflows (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-hn-apache-retry-ban (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-php-url-fopen (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-ssh (1 references)
target     prot opt source               destination
REJECT     all  --  221.229.162.xxx      0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  183.3.202.xxx        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  111.13.70.xxx        0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  221.229.162.xxx      0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  186.228.90.xxx       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  183.3.202.xxx        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  14.139.46.xxx        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  111.13.70.xxx        0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

After an explicit restart, the system seems to be up and running again ... I feel a bit at a loss here ...

Thanks for any hints!
Alexander

> By design, f2b (when restarting) unblocks all blocked IP addresses
> within its own DB, it then removes the f2b chains from iptables. It then
> starts up creating the chains and re-adds the IP's that are within the
> selected time scale of bans.
>
> It does not remove anything other than its own chains in IPtables.
>
> How do you have the load balanced rules set? are they persistent in a
> file that is always run from server start up?
>
> I have a reset firewall script that once f2b is shutdown, i run and it
> reloads my own pre-set rules on iptables, then i fire up f2b, i've never
> had it remove rules, or chains that are not starting "f2b-chainname"
> (i.e f2b-php-url-open) etc.
>
> if you do a iptables -n -L do your f2b chains all start with chain f2b- ?
> if the f2b chains are missing and all your rules are not starting as
> above, i suppose there is a chance it could remove rules it never
> created, although i would doubt that.
>
> I hope this helps a little.
>
> Steve

------------------------------------------------------------------------------
_______________________________________________
Fail2ban-users mailing list
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
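The thread turns on one question: does a fail2ban restart remove only its own f2b-* chains, or does it also take the poster's NAT rules with it? The script below is an added example for this thread; it is not code from the fail2ban project or from either poster. It answers Steve's two questions mechanically: `non_f2b_chains` lists every chain in `iptables -n -L` output whose name does not start with `f2b-`, and `lost_rules` diffs two `iptables-save -t nat` snapshots taken before and after `service fail2ban restart`, printing the rules that disappeared. It assumes iptables-save is installed and that fail2ban is controlled with `service fail2ban restart` as in the thread; the NAT rules and the chain listing embedded in it are constructed sample data, since the thread never shows the real load-balancing rules.

```shell
#!/bin/sh
# Added example for the fail2ban-users thread, not project code.
# Assumptions: iptables-save/iptables-restore exist and fail2ban is
# restarted with `service fail2ban restart`. Sample data is constructed.

# Names of chains in `iptables -n -L` output that do NOT start with "f2b-".
# The built-ins INPUT/FORWARD/OUTPUT are always listed; any other name
# printed here was created by something other than fail2ban.
non_f2b_chains() {
    printf '%s\n' "$1" | awk '/^Chain / && $2 !~ /^f2b-/ { print $2 }'
}

# Rules ("-A ..." lines in iptables-save format) that are present in the
# first snapshot but absent from the second. Headers and COMMIT are ignored.
lost_rules() {
    before=$1
    after=$2
    printf '%s\n' "$before" | grep '^-A ' | while IFS= read -r rule; do
        printf '%s\n' "$after" | grep -qxF -e "$rule" || printf '%s\n' "$rule"
    done
}

# Live mode (run as root): snapshot the nat table, restart fail2ban,
# snapshot again and report anything the restart removed.
live_check() {
    before=$(iptables-save -t nat)
    service fail2ban restart
    after=$(iptables-save -t nat)
    lost=$(lost_rules "$before" "$after")
    if [ -n "$lost" ]; then
        echo "NAT rules missing after the fail2ban restart:"
        echo "$lost"
        return 1
    fi
    echo "nat table unchanged by the fail2ban restart"
}

# Constructed sample snapshots: two DNAT rules that spread port 80 across
# two backends (placeholder addresses), then an emptied nat table.
NAT_BEFORE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination 10.0.0.11:80
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.12:80
COMMIT'
NAT_AFTER='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT'

# Constructed sample of `iptables -n -L` output with two fail2ban jails.
FILTER_LIST='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-sshd   tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22
f2b-ssh    tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-sshd (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0'

if [ "${1:-}" = "--live" ]; then
    live_check
else
    echo "chains not created by fail2ban:"
    non_f2b_chains "$FILTER_LIST"
    echo "rules lost between the sample snapshots:"
    lost_rules "$NAT_BEFORE" "$NAT_AFTER"
fi
```

Run it without arguments to see the functions work on the constructed samples, or as root with `--live` to test the real machine; a non-empty "missing" list pins the loss to the restart window, an empty one points at whatever else runs at those hours. Two things visible in the thread are worth checking in the same pass: the log shows both an `[ssh]` and an `[sshd]` jail matching the same address (two jails on port 22 doing the same job), and the poster's NAT rules live only in a startup script, so saving them once with `iptables-save -t nat > /etc/iptables/nat.rules` (path is an assumption) and reloading with `iptables-restore --noflush` after a fail2ban restart restores them without touching the f2b-* chains.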
